Hi all,

Where do I reconfigure 'comments' permissions in a backdrop site?

People are finding it impossible to leave comments about articles on our site. Everyone seems to be told they are spam unless they identify as known contributors/authors/administrators. 

Also, What is the difference between 'Open comments' and 'Closed comments' in 'Default comment setting for new content.'

Thanks for any help. :-)

Most helpful answers

This is where you look for which modules are installed and enabled. Look for any modules that look like they might be a SPAM prevention module. For example:

  • Captcha
  • Antibot
  • Spambot
  • Honeypot
  • Antiscan
  • Askimet

I would specifically look to see if you are using Askimet. 


I'll start with the easy one, "open comments" simply means that new comments are welcome on this piece of content. Whereas, "closed comments" would not allow any new comments. 

It is possible to create content with "open comments" and allow comments on a post or article, but then later close the comments, which would prevent any new comments but continue to show existing comments.  

You can choose whether you want comments open or closed by default on new content. In some situations, all new content might have commends closed, with the ability for site editors to open comments when desired. 

In terms of users being blocked because of SPAM, I'm quite sure that this has to do with whichever anti-spam module you are using. I don't believe Backdrop CMS has any anti-spam features in core, but there are several contributed modules which handle this task. 

Some anti-spam modules are more aggressive than others. I don't think there are any sure fire modules that are always correct about when to block a comment as SPAM or when not to. So, you need to experiment with anti-spam modules and configuration until you get the mix you like. 

If you share more about what module you are using to block SPAM, we might be able to provide additional feedback on how to re-configure it or which alternative to use.

Thank you.  I changed the settings to 'open comments,' but still got the SPAM message.  How/where do I look for the module we are using to block SPAM please?

Really appreciate your help.  I am very naive to website management.


This is where you look for which modules are installed and enabled. Look for any modules that look like they might be a SPAM prevention module. For example:

  • Captcha
  • Antibot
  • Spambot
  • Honeypot
  • Antiscan
  • Askimet

I would specifically look to see if you are using Askimet. 

We are using 'Protected Forms' and Honeypot.

For Protected forms I removed https from the banned words, for the moment, but that was not really relevant to my rejected test post. With regard to Honeypot, it seems that it is over-applied, although I'm not sure what to limit it to, assuming I find some boxes to check.  I would have thought that is was only applicable to comments on articles, which it currently seems to block for everyone unless they are a registered, logged-in user. This defeats the purpose of our website, which is multi-author environment and politics and invites comments. If you look below you can see that the Honeypot element name has been given as URL and its time limit is 4 seconds.  Are you able to comment on any of this? Many thanks for help so far:

Honeypot configuration

Protect all forms with Honeypot

Enable Honeypot protection for ALL forms on this site (it is best to only enable Honeypot for the forms you need below).

Log blocked form submissions

Log submissions that are blocked due to Honeypot protection.

Honeypot element name *URL

The name of the Honeypot form field. It's usually most effective to use a generic name like email, homepage, or link, but this should be changed if it interferes with fields that are already in your forms. Must not contain spaces or special characters.

Honeypot time limit *4 seconds

Minimum time required before form should be considered entered by a human instead of a bot. A reasonable time-limit is 5 seconds. Set to 0 to disable.

You simply try disabling either of these modules and to see if they are the culprit. 

If you are able to attend our weekly office hours, this is a great chance to ask questions and have an experienced volunteer look at your site with you. 


Please, be sure to report back here if you figure out the problem.

Okay. When I disabled Protected Forms, I was able to post a comment for a non-registered person.  Odd that the comment I was trying to post did not contain any of the elements that Protected Forms listed as banned.  Later I also reduced the application of Honeypot to comments, rather than to everything. Will I be inundated with spam now, I wonder... We used to have to kill spam every morning with the old drupal blog.

Anyway, thank you very much again for your help.  I did attend the three day workshop you guys held about a month ago and it was great, really fabulous!  I keep meaning to attend the weekly office hours but something always prevents me, so far.

I do have a couple more difficult problems that I will seek help with, soon.

Many thanks again. :-)


Will I be inundated with spam now

A discussion that might help:


You will need some SPAM prevention. You might just need to try a different module. 

Antibot has worked well for a lot of people, unfortunately there is no silver bullet that works for everyone. Feel free to open a new discussion here in the forum about SPAM prevention modules.

If your goal is to protect the forum from bots, then I recommend trying the Antibot module. This module uses original and newer bot detection technology than older anti-spam modules. It secretly monitors whether the user who posts a comment is using a keyboard or a touch screen and, in the absence of such, blocks access to the comment form (and any other forms). The form is also blocked if the visitor does not interpret the JavaScript code used by this module. Thus, the module very efficiently eliminates bots that do not use a keyboard, touch screen and JavaScript, and at the same time its action is imperceptible to human visitors.

However, this will not protect you from malicious human visitors, for whom another solution must be sought, and it would probably enable protection against a reasoned analysis of the content of the post.